Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
View Regular
Malwrologist Profile picture
Malwrologist
@DissectMalware
Cybersecurity researcher DM is always open xlmdeobfuscator: https://t.co/zlbtaqE1YS

Jul 29, 2018, 13 tweets

#linux #bash #obfuscation using octal vals
$'\143\141\164' really

gnu.org/software/bash/…
"Words of the form $'string' are treated specially. The word expands to string, with backslash-escaped characters replaced as specified by the ANSI C standard."

Variations
$'\143'$'\141'$'\164' really
$'\143'''$'\141'''''''''''''$'\164' really
$'\143'''$'\141'''""''''""''$'\164' really

Explanation:
'' -> empty string
""-> empty string
'a''b' -> 'ab' (concatenation)

(deleted the previous one, as the picture had a problem)

To give you a headache

t=
$'\143'''$'\141'$t''"$t"''`$t`''$'\164' really

#bash #linux
Using null character as filler for command #obfuscation

#empty strings
$'\x0'
$'\x00'
$'\x'
$'\000'
$'\00'
$'\0'
$'\u0000'
$'\u000'
$'\u00'
$'\u0'
$'\u'
$'\u0000000000000000'
$'\x000000000000'
$'\00000000000000000000'

bonus?
#empty string
$'\u0000 anything you want enter here it will be ignored'

Explanation
\u0000 is a #null character, in bash end of string is a null character like c; thus anything after null is ignored

$'\143\141\164' is equivalent to 'cat'

really is a file

so basically we want to obfuscate the following command

cat really

* Correction
$'\u' and $'\x' are not #empty strings.

the picture is a little bit misleading, see the bonus to find out why.

For completeness
$'\U00000063\U0000061\U00074' really

"\UHHHHHHHH
the Unicode (ISO/IEC 10646) character whose value is the hexadecimal value HHHHHHHH (one to eight hex digits) "

Want to test yourself:

what this command do?
cat $'/e\u0`ec$(echo tset000 oh|rev)` > /dev/null/| rm /e't?/pa???d

(answer will be in the reply)

#bash #deobfuscation of the previous tweet
[1] $(echo tset000 oh|rev) # ho 000test
[2] `ec[1]` -> `echo 000test` # 000test
[3] $'/e\u0[2] > /dev/null/| rm /e' # '/e\u0000' after null will be truncated
[4] cat [3]t?/pa???d # cat /et?/pa???d
[5] cat /etc/passwd

Maybe this is clearer

@threadreaderapp unroll me #bashfuscation part 0

cc: @ItsReallyNick

Share this Scrolly Tale with your friends.

A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.

Keep scrolling